Blog Feed
Protectimus vs Rublon: A Detailed Comparison of Two Multi-Factor Authentication Solutions
When looking for a reliable multi-factor authentication (MFA) solution, it’s easy to get lost in the variety of options available on the market. To help you navigate these choices, we’ve launched a series of comparison articles that examine how the Protectimus MFA platform stacks up against other prominent providers. In this article, we’ll take a closer look at Protectimus and Rublon. Both companies provide comprehensive two-factor authentication (2FA) solutions, but differ significantly in deployment options, features, supported authentication methods, and customization options. We’ll walk you through the key differences in server-side deployment, supported technologies, core features, authentication methods, and pricing. Prefer short reads? See the comparison table below!

1. Server-Side Component

Key Difference: Rublon is a cloud-based solution. Protectimus offers both fully cloud-based and comprehensive on-premise MFA server deployment options.

Rublon

Rublon is a cloud-based two-factor authentication solution. This means Rublon hosts and manages all authentication servers in its own infrastructure. When an organization activates Rublon MFA, the cloud platform handles all authentication logic, configuration, policies, and event logs. There is no option to deploy the authentication server on-premise — this makes Rublon easier to set up and manage, but limits its applicability in environments with strict data residency, privacy, or regulatory requirements.

The Rublon Admin Console is the central control point. From there, administrators can:
- Configure MFA rules and policies (e.g. IP allowlisting, adaptive access conditions).
- View authentication events and audit logs.
- Assign applications for protection, such as VPN, Microsoft 365, RDP, and ADFS.
- Add or remove users.
- Deploy Rublon’s connectors to protect systems and integrate with the Rublon cloud backend.
Users are authenticated through connectors or agents (e.g., the Rublon Windows Logon & RDP agent, VPN plugin, SSO connector), which communicate with the Rublon cloud to verify credentials and deliver second factors like push notifications or TOTP challenges. These connectors are lightweight components that do not operate as full authentication servers, but rather serve as a bridge between local applications and the Rublon cloud. There is no local fallback option — if the Rublon cloud service is unreachable (e.g., due to an internet outage), MFA functionality will be affected.

Protectimus

Protectimus offers its clients a choice between two deployment options: a Cloud MFA Service or a Self-Hosted On-Premises MFA Platform. This flexibility caters to businesses of all sizes, from a small startup to larger companies and enterprises with strict security and compliance needs.

Protectimus Cloud Service

The cloud version of Protectimus MFA is a fully managed service hosted in secure, geographically distributed data centers. It allows organizations to:
- Quickly integrate MFA into their infrastructure with minimal setup.
- Avoid the overhead of maintaining authentication infrastructure.
- Scale easily as user count or service coverage grows.
- Access the Protectimus Administration Panel to manage settings and reports.

All user data, OTP generation, policy enforcement, and access control are managed within Protectimus’ secure cloud backend. Integration usually happens through:
- API and SDKs (Java, PHP, Python).
- Pre-built plugins that include connectors for LDAP, Windows, RADIUS, ADFS, Azure AD, OWA, Citrix, VPNs, and others.

Protectimus Cloud is a good fit for companies looking to reduce their infrastructure management burden without sacrificing security.

Protectimus On-Premise Platform

For enterprises and government agencies that require complete control over their authentication system, Protectimus offers a full-featured on-premise platform.
This platform is installed in the customer’s private infrastructure (local data...

Ontario iGaming MFA Requirements: AGCO Cybersecurity Standards Explained
As Ontario’s iGaming market grows, the cybersecurity expectations for operators are increasing. The Alcohol and Gaming Commission of Ontario (AGCO) requires all licensed iGaming operators to follow strict cybersecurity rules. In this article, we outline what iGaming operators in Ontario need to know about AGCO’s cybersecurity regulations. We will pay special attention to MFA requirements, best practices for implementation, and how to remain compliant in 2025 and beyond.

1. AGCO Cybersecurity Requirements: An Overview

The Alcohol and Gaming Commission of Ontario (AGCO) mandates strict cybersecurity standards in its Registrar’s Standards for Internet Gaming, to be implemented by all Internet gaming licensees, from licensed online casinos to sportsbooks. The standards aim to protect the integrity, security, and fairness of Ontario’s iGaming business. Key requirements include:
- Secure Authentication – operators must implement strong access controls to prevent unauthorized access to player data and internal systems.
- Access Management – only authorized staff should have access to sensitive systems, based on job requirements and function.
- Data Protection – all sensitive data must be encrypted both in transit and at rest.
- System and Network Security – operators must use firewalls, anti-malware tools, and intrusion detection systems to protect their infrastructure.
- Ongoing Risk Assessments – regular evaluations must be conducted to identify and address cybersecurity risks.
- Incident Response and Recovery – there must be provisions for discovery, response, and recovery from cybersecurity incidents.
- Logging and Monitoring – systems must log activity and access, with monitoring to detect suspicious behavior.
- Third-Party Security – third-party integrations and services must comply with the same level of security.
While not every control is specified at the level of technical detail, AGCO does expect operators to take a risk-based approach and apply security controls commensurate with the sensitivity of the information and systems involved. MFA is a central control in that context, especially for protecting privileged access and sensitive user data.

AGCO cybersecurity compliance checklist (each requirement area is followed by its checklist items):

Access Control
- Role-based access is enforced across all systems
- Default/admin passwords are changed and secured
- Inactive user accounts are regularly reviewed and removed
- Access rights are reviewed periodically

Secure Authentication
- Multi-Factor Authentication (MFA) is enabled for all privileged/admin users
- MFA is offered to all players as an optional feature
- Strong password policies are enforced
- No shared accounts are used for system access

Data Protection
- Player data is encrypted in transit and at rest
- Sensitive data is securely stored
- Backups are encrypted and securely stored

System & Network Security
- Firewalls and anti-malware tools are active and updated
- Intrusion detection and prevention systems are deployed
- Servers and apps are patched regularly
- Secure coding practices are followed

Risk Management
- Annual cybersecurity risk assessments are performed
- Threat models are updated regularly
- Risk mitigation controls are implemented

Logging & Monitoring
- System and access logs are enabled and stored securely
- Logs are monitored for suspicious activity
- Real-time alerts are configured for critical events

Incident Response
- A documented incident response plan is in place
- Roles and escalation procedures are clearly defined
- Drills are conducted regularly
- All incidents are logged, reviewed, and reported

Third-Party Security
- Vendors are vetted for security and compliance
- Agreements include cybersecurity requirements
- Vendor access is limited and monitored
- MFA is enforced for third-party access

Audit & Documentation
- All cybersecurity policies are documented
- Compliance evidence (logs, reports) is retained
- Controls and records are available for audits

2. Multi-Factor Authentication in AGCO Standards...

Protectimus vs. Okta MFA: A Comprehensive Comparison
When seeking a multi-factor authentication solution, it can be quite challenging to figure out which one best suits your needs. With this in mind, we decided to start a series of articles comparing the Protectimus multi-factor authentication system with MFA services provided by other leading companies in the field. In this article, we will compare Protectimus MFA with Okta MFA. Both companies offer robust and comprehensive two-factor authentication services, but they do differ in some ways. Let’s find out what each company provides, focusing on key aspects: server-side deployment models, technologies, features, MFA methods, and pricing. Prefer short reads? See the comparison table below!

1. Server-Side Component

Key Difference: Okta is cloud-only. Protectimus offers both cloud-based and on-premise MFA server deployment options.

Okta

Okta is a fully cloud-based multi-factor authentication solution. This modern approach to MFA services helps Okta’s clients save both time and resources, as they can avoid the need to maintain their own MFA servers. Okta has already built a reliable, highly available, and secure infrastructure that handles all authentication requests. However, a fully cloud-based approach does have its drawbacks. Many companies seek an on-premise MFA platform because they need the multi-factor authentication server to be installed within their own infrastructure. This is most often the case when full control over user data is required by government regulations or internal security policies.

Protectimus

The Protectimus MFA solution is available as both a cloud-based MFA service and an on-premise MFA platform.

1. Cloud-Based MFA Service

Similar to Okta, Protectimus offers a cloud-based (SaaS) MFA service, where all authentication requests are processed on Protectimus’ cloud servers. Protectimus’ cloud service includes high availability, automatic updates, and scalability.

2. On-Premise MFA Platform

Protectimus offers an on-premise multi-factor authentication platform for organizations that require full control over their user data and need to deploy an MFA server within their own infrastructure. The Protectimus On-Premise MFA platform can be installed on the customer’s own servers or in their private cloud. It works in isolated networks and lets customers set up whatever clusters and firewalls they need to make their MFA server as fault-tolerant and secure as possible. An on-premise MFA solution is a common requirement for financial, government, and healthcare organizations, as local storage of user information is often required by GDPR, PCI DSS, HIPAA, and other standards. Moreover, an on-premise MFA platform, unlike a cloud-based one, can be customized if the client has specific requirements. You can find out more about the differences between the cloud-based MFA service and the on-prem MFA platform in our article “On-Premise 2FA vs Cloud-Based Authentication”.

                        Okta   Protectimus
Available in cloud      yes    yes
Available on-premises   no     yes

2. Features

Key Difference: Okta focuses on adaptive authentication and risk-based policies. Protectimus provides advanced access controls and transaction data signing (CWYS) for greater customization and security.

Okta

Note: Nearly all features described in this section can be activated only with Okta’s most expensive payment plan, Adaptive MFA.
- Self-Service for Users. Users can enroll and manage authentication methods without IT department intervention.
- IP filtering. This feature allows administrators to enforce access policies based on IP addresses, blocking or allowing authentication attempts from specific locations.
- Adaptive MFA. Evaluates user behavior, device, network, and geolocation to detect anomalies and enforce step-up authentication if a login attempt is deemed risky.
- Risk-Based Authentication. Uses AI-driven analytics to assess...

The Architecture of Protectimus On-Premise MFA Platform
Among the available MFA deployment options, on-premise solutions have gained traction, especially among organizations with stringent security policies and a strong desire for control. Unlike cloud-based alternatives, on-premise MFA systems are installed directly on the client’s infrastructure or private cloud, offering unparalleled oversight and customization opportunities. On-prem MFA solutions eliminate reliance on external networks, ensuring maximum protection for sensitive data and systems. The Protectimus On-Premise MFA Platform is a versatile and comprehensive multi-factor authentication solution tailored to meet the unique needs of businesses prioritizing security and control. Designed to operate seamlessly within isolated networks, our platform combines advanced security features with the flexibility to adapt to diverse organizational requirements. In this article, we will delve into the pros and cons of on-premise MFA, explore the standout features of the Protectimus 2FA platform, and provide insights into its architecture, including the standalone cluster architecture.

Pros and Cons of On-Premise MFA

Using on-premise MFA provides unparalleled control over your data, processes, and the system’s fault tolerance, as well as robust protection against potential attacks. Organizations can design a security system around their authentication server tailored to their specific needs. This includes deploying firewalls, completely isolating the server from external access, and implementing any other security measures deemed necessary.

Advantages:
- Complete Control: full authority over sensitive data, system operations, and infrastructure.
- Enhanced Security: operates in isolated environments, reducing vulnerabilities and minimizing exposure to external threats.
- Customization: allows tailored configurations and the addition of unique features to meet specific organizational needs.
- Compliance: facilitates adherence to stringent regulatory requirements by keeping all data within the organization’s premises.

Disadvantages:
- Higher Costs: requires a significant upfront investment in infrastructure, setup, and ongoing maintenance.
- Resource-Intensive: demands skilled IT personnel and continuous administrative effort.
- Longer Implementation Time: compared to cloud-based solutions, on-premise systems take more time to configure, deploy, and optimize.

Key Features of the Protectimus On-Premise MFA Platform

The Protectimus On-Premise MFA Platform can be installed locally or in a client’s private cloud, granting full control over the authentication system, including sensitive user data. The platform supports multidomain environments, clustering, replication, and backup functionality to ensure resilience and security. Additional features include geographic and time-based filters, event notifications, detailed analytics and reporting, role-based access control, and a data-signing feature (CWYS – Confirm What You See). The platform is compatible with all Protectimus two-factor authentication methods, including both hardware and software tokens, and supports OTP delivery via SMS (SMPP protocol), email, and chatbots. It enables integration across diverse environments and ensures high availability and reliability.

Cross-Platform Compatibility:
- Supports Linux, FreeBSD, Windows, and other major operating systems.
- Compatible with Google Chrome, Mozilla Firefox, Internet Explorer, and other popular browsers.

Industry-Standard Security:
- Fully compliant with OATH OTP standards.
- Utilizes HMAC, HOTP, TOTP, and OCRA algorithms for generating secure one-time passwords.

Scalable and Flexible:
- Includes a self-service portal for users to manage tokens and personal data.
- Allows administrators to configure access filters based on geography, time, or user behavior.
- Enables multi-node setups for large enterprises with globally distributed users.
Protectimus MFA System Architecture

Protectimus is built following the best practices of SOA (Service-Oriented Architecture), MVC (Model-View-Controller), and RESTful design principles. This foundation ensures seamless scalability, fault tolerance, and high performance. Let’s look at the overall solution architecture presented below.

Performance Optimization:
- Client-Side: implements browser caching,...

Multi-Factor Authentication for LDAP
LDAP helps organizations manage access to critical systems, but passwords alone aren’t enough to keep attackers out. Adding multi-factor authentication (MFA) to LDAP can significantly boost security. This article explains what LDAP is, the difference between the LDAP protocol and LDAP servers, and how to integrate the Protectimus MFA solution with LDAP to provide stronger protection.

LDAP: What Is It?

LDAP stands for Lightweight Directory Access Protocol. This standard protocol is widely used by organizations to manage user accounts and access directory servers. LDAP facilitates communication between a Service Provider and an Identity Provider, performing tasks such as user authentication, permission management, and directory updates across a network. Organizations value LDAP for its speed, scalability, and ease of use, relying on on-premises LDAP servers, such as Microsoft Active Directory and OpenLDAP, to run their critical business applications. When a user attempts to log in, LDAP verifies whether the authentication is successful. This makes securing LDAP with MFA essential for any business.

LDAP Protocol vs. LDAP Server: Key Differences

The LDAP protocol is a tool designed for accessing and managing information in user directories: it reads and updates the data stored in those directories. An LDAP server, meanwhile, is any server functioning as a user directory service (e.g., Active Directory, OpenLDAP, Red Hat Directory Server, IBM Security Directory Server, Novell eDirectory, Apache Directory Server, etc.).

Why Add Multi-Factor Authentication to LDAP?

LDAP servers store and organize critical information, such as user credentials and permissions. The LDAP protocol is responsible for managing user accounts and accessing the LDAP servers that hold this critical information. Protecting user credentials and controlling access to user accounts remain key priorities in today’s cybersecurity.
Cybersecurity specialists often secure LDAP connections by wrapping the LDAP protocol in TLS/SSL (which is then called LDAPS). However, this is not enough. Multi-factor authentication (MFA), also known as two-factor authentication (2FA), is the best way to ensure that LDAP authentication is protected from attacks aimed at compromising user accounts. Multi-factor authentication is a must for any corporate network protection. With MFA, you add another layer of protection to password-based authentication, which almost eliminates the possibility of corporate accounts being hacked and perfectly secures user accounts from phishing, keylogging, social engineering, man-in-the-middle attacks, brute force, credential stuffing, and other similar attacks. One more reason to add MFA for LDAP is to meet the requirements of PCI DSS, GDPR, and similar regulations.

How Does Protectimus MFA Integration with LDAP Work?

Protectimus multi-factor authentication can be integrated into your LDAP-based infrastructure in several ways. We provide an open RESTful API, SDKs, and a wide range of ready-to-use plugins for virtually any software, operating system, VPN, or VDI service that requires MFA protection within a corporate environment.

However, the easiest and most convenient solution for LDAP MFA is Protectimus DSPA (Dynamic Strong Password Authentication). It enables seamless integration of multi-factor authentication directly with an LDAP server, adding MFA to all entry points that rely on the LDAP server for authentication in a single step. Alternatively, the admin can choose to enable multi-factor authentication for a specific group of LDAP users rather than applying MFA to all users. Here’s what LDAP MFA with Protectimus DSPA looks like: You integrate the Protectimus On-Premise MFA platform with your LDAP server, which appends a...

Why Protectimus Recommends the SHA256 Algorithm
As cyber threats become more advanced, choosing the right cryptographic algorithm is essential to keep data secure. SHA-256 stands out among other options because it offers strong protection against known weaknesses and aligns with top industry standards. In this article, we’ll dive into why Protectimus endorses SHA-256 and how this algorithm supports the security of our 2FA solutions.

1. Understanding TOTP Tokens and Hashing Algorithms

TOTP tokens serve as an additional layer of protection, providing a unique and time-sensitive password for each login attempt. TOTP, or Time-Based One-Time Password, is a mechanism that generates one-time passwords valid for a short period – 30 or 60 seconds. The process of generating TOTP passcodes involves the use of a hashing algorithm, such as SHA-1 or SHA-256, to convert a shared secret and the current time into a unique one-time password. This shared secret is known to both the server and the user’s device, ensuring that both parties can independently generate the same OTP at any given moment.

The time-based element is crucial to the security of TOTP tokens. Both the server and the user’s device must be in sync regarding time. The OTP is valid only for a short window of time, usually 30 seconds, after which it becomes invalid and useless for any future login attempts. This time factor introduces an additional level of complexity for potential attackers trying to predict or brute-force the correct OTP. To fully grasp how TOTP tokens work, it’s essential to delve into the underlying hashing algorithms SHA-1 and SHA-256. But what is a hash?

What Is a Hash?

A hash function takes an input (or ‘message’) and converts it into a fixed-length string of characters, typically a sequence of numbers and letters. This output is commonly referred to as the hash value or hash code.
The critical characteristic of a hashing algorithm is that it is a one-way process, meaning that it is computationally infeasible to recover the original input from the hash value. This property ensures that sensitive data, such as passwords and TOTP secrets, remains well protected. It’s important to understand the difference between encryption and hashing. While encryption transforms data into ciphertext that can be reversed using a specific key, hashing irreversibly transforms data into a fixed-size string of characters (the hash). Hash functions like SHA-1 and SHA-256 generate hash values that are practically impossible to reverse-engineer, ensuring the security of TOTP tokens.

The importance of secure TOTP token generation cannot be overstated. It safeguards sensitive information, strengthens authentication mechanisms, and bolsters the overall security posture of systems implementing 2FA. By adopting robust hashing algorithms like SHA-256, organizations can enhance their defenses against potential threats, providing users with a more secure and reliable authentication experience.

2. Vulnerabilities and Risks of SHA-1 in TOTP Token Systems

SHA-1, once considered a secure hashing algorithm, has been found to possess several vulnerabilities when used in TOTP token systems. These weaknesses can pose certain security risks, compromising the integrity of the one-time passwords and making systems more susceptible to attacks. However, transitioning to the more advanced SHA-256 algorithm can address these issues and enhance the overall security of TOTP token systems.

Collision Vulnerabilities

One of the primary vulnerabilities of SHA-1...

Protectimus Customer Stories: 2FA for Ipak Yo’li Bank
Ipak Yo’li Bank is one of the leading commercial banks in Uzbekistan, offering a wide range of financial services. The bank is actively expanding its digital infrastructure, with a strong focus on data security, 2FA, and protecting its clients’ information.

“We chose Protectimus for several key reasons. First, it allows us to host the MFA server on our premises, a crucial requirement for both our information security and legal departments. Secondly, it provides comprehensive multi-factor authentication coverage for all entry points to our corporate banking infrastructure, all from a single provider. Thirdly, the option to purchase a lifetime license for Protectimus MFA software has allowed us to secure access to our employees’ accounts for the long term. The implementation process was smooth, thanks to the excellent support provided by the Protectimus team at every stage. We primarily use MFA for Windows accounts and RDP connections, and the software has proven easy to install, configure, and use for our employees. Additionally, we’ve successfully used RADIUS integration, and as our infrastructure grows, we plan to expand our use of Protectimus integrations. We highly recommend Protectimus as a customer-oriented MFA provider with reliable products and a supportive team.”
– Information Security Director at Ipak Yo’li Bank

Key tasks for implementing 2FA for Ipak Yo’li Bank

The administrators of Ipak Yo’li Bank set the following tasks for the two-factor authentication (2FA) provider:
- To secure employee account access when connecting via Windows and RDP.
- To implement multi-factor authentication for all entry points to the bank’s infrastructure.
- To utilize an in-house multi-factor authentication server for enhanced security.
- To ensure long-term protection by purchasing a lifetime license for the MFA solution.
The following Protectimus 2FA products were chosen to solve the tasks listed above:
- Protectimus On-Premise Platform – an on-site two-factor authentication platform (a lifetime license was purchased for its use);
- Protectimus Winlogon & RDP – a solution designed to secure Windows accounts, both locally and through RDP connections;
- Protectimus RADIUS – a component that integrates with any software or hardware supporting RADIUS authentication;
- Protectimus Smart – an MFA app for generating one-time passwords, available on iOS and Android;
- Protectimus Two – hardware TOTP tokens for generating one-time passwords.

Challenges and Solutions

Securing Windows Accounts and RDP

The Protectimus Winlogon & RDP multi-factor authentication solution was successfully implemented to safeguard employee account access. This helped prevent unauthorized access and strengthened the security of the bank’s infrastructure. The Protectimus two-factor authentication solution for Windows and RDP protects both local accounts and remote desktops (RDP). It is simple to deploy across multiple computers using GPO and supports automatic registration of users and tokens, making it ideal for corporate environments. It also functions in offline mode on local desktops.

RADIUS Integration

The Protectimus RADIUS component enabled seamless integration of Protectimus multi-factor authentication with the bank’s existing infrastructure, allowing the Protectimus MFA server to connect with any software or hardware that supports RADIUS authentication. This ensured protection for all critical entry points.

Lifetime License for the Protectimus On-Premise Two-Factor Authentication Platform

For Ipak Yo’li Bank, ensuring maximum data protection was a top priority. Deploying an on-premise 2FA platform on their own servers proved to be the best solution. This approach avoided sharing user data with third parties, guaranteeing security and system reliability. By purchasing a lifetime license for the Protectimus...

Strengthening Security with Multi-Factor Authentication for RADIUS
As technology evolves, so do the methods of cyberattacks, making traditional authentication vulnerable. This is where Multi-Factor Authentication (MFA) steps in, offering an extra layer of defense. In this article, we delve into the synergy between MFA and RADIUS-enabled devices and software, exploring how this combination bolsters protection against modern security challenges and how to integrate multi-factor authentication for RADIUS.

1. What Is RADIUS

In computer networking, RADIUS, or Remote Authentication Dial-In User Service, is a protocol used to manage and secure user access to a network. It operates as a central authentication and authorization system, ensuring that only authorized users can connect to network resources. RADIUS facilitates user authentication by verifying usernames and passwords. It’s commonly employed in scenarios such as Wi-Fi access points, Virtual Private Networks (VPNs), and other remote access systems. RADIUS plays a vital role in enhancing network security by enabling administrators to control user access and monitor usage while maintaining a centralized and efficient authentication process.

Integrating multi-factor authentication (MFA) can significantly strengthen this authentication process. Multi-factor authentication, or two-factor authentication (2FA), adds an extra layer of security by requiring users to provide a second piece of information, such as a one-time code generated on a mobile device. In this article, we’ll explore why enhancing your RADIUS network security by implementing multi-factor authentication is crucial, and how to add MFA via RADIUS to elevate the security of network access.

Distinguishing Between RADIUS Protocol, RADIUS Server, and RADIUS Client

Let’s break down the RADIUS puzzle for a clearer picture. The RADIUS protocol stands at the core of this system, serving as the communication framework that enables secure data exchange between RADIUS servers and clients.
It employs a client-server model where the RADIUS client, often a networking device seeking authentication for its users, sends access requests to the RADIUS server. This protocol ensures the confidentiality and integrity of sensitive information during transmission, safeguarding user credentials from potential threats.

RADIUS servers, on the other hand, serve as the guardians of authentication. These specialized servers store user credentials and related information in a centralized database. When a RADIUS client forwards an access request, the RADIUS server validates the user’s credentials and responds with an acceptance or denial message. This centralized approach streamlines user management by allowing administrators to enforce policies and access controls uniformly, reducing administrative overhead and enhancing security.

Meanwhile, RADIUS clients encompass devices that require user authentication for accessing network resources. These clients can range from Wi-Fi access points and switches to VPN gateways. Upon receiving a user’s access request, the RADIUS client relays the credentials to the RADIUS server for validation. If successful, the RADIUS client grants the user access to the requested services; if not, access is denied. This mechanism ensures that only authorized users can utilize network resources, bolstering the overall security posture.

Understanding RADIUS and Its Vulnerabilities

While RADIUS serves as a stalwart guardian of network access, it’s not immune to vulnerabilities. The RADIUS protocol lacks encryption for the packets exchanged between the client and server, except for the password. While the password is encrypted, the overall security of RADIUS relies heavily on its proper implementation. However, even with flawless execution, if an attacker only needs to overcome a password to breach an account, the vulnerability remains significant. Traditional single-factor authentication,...

On-Premise 2FA vs Cloud-Based Authentication
The basic idea behind any type of multi-factor authentication is communication between an MFA device and a server. An MFA server can be set up either on-premise (locally within your company’s infrastructure) or in a cloud. Both approaches have their pros and cons. In this post, we aim to give you a comprehensive comparison of cloud multi-factor authentication vs on-premise 2FA solutions to help you choose the best 2-factor authentication for your business.

How 2-Factor Authentication Works

Unlike single-factor authentication, which requires only a passcode, multi-factor authentication requires two, or all three, of the following factors:
- Something you know, which is your user password;
- Something you possess, which is your MFA security device or token;
- Something you are, or your biometrics for TouchID, FaceID, and the like.

For MFA authentication to validate the user’s identity, the user’s token and the multi-factor authentication server are required to share a secret key. So, any OATH 2FA authentication will work like this:
1. The server and the user share a secret seed.
2. The user logs in to the application or website protected with MFA and enters the user login credentials.
3. What happens next rests on the 2FA algorithm used. Either the user’s token mixes its secret key with the running time (TOTP), or with a counter (HOTP), or utilizes the challenge/response algorithm (OCRA). The token then provides the end-user with an OTP to enter on the protected website.
4. The server goes through the same key+counter/time/challenge process and compares both values. If the values received from the token and the server are the same, the user is granted access.

And, as we’ve already established, a two-factor authentication vendor can set up an MFA server either in the cloud or locally in the client’s environment. Now let’s look closer at cloud vs on-premise multi-factor authentication.
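The OATH flow just described (shared seed, token computes an OTP from key plus time or counter, server recomputes and compares) and the hash-algorithm choice discussed in the SHA256 article excerpt earlier on this page, worked through as an added example; this is not Protectimus code and not the page's own. It implements RFC 4226 HOTP and RFC 6238 TOTP with the hash algorithm as a parameter (SHA-1 or SHA-256), plus the server-side comparison step with clock-drift tolerance and replay rejection. The seeds are the RFC reference test seeds, constructed input rather than real secrets, and the TotpVerifier class is an assumed name.

```python
import hashlib
import hmac
import struct

# Reference seeds from the RFC 4226 / RFC 6238 test vectors (constructed test input, not real secrets).
# RFC 6238 uses a 20-byte seed for SHA-1 and a 32-byte seed for SHA-256.
SEED_SHA1 = b"12345678901234567890"
SEED_SHA256 = b"12345678901234567890123456789012"


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC(secret, counter) -> dynamic truncation -> zero-padded decimal code."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian moving factor
    mac = hmac.new(secret, msg, getattr(hashlib, algo)).digest()
    offset = mac[-1] & 0x0F                               # low nibble of last byte picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with the moving factor set to floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits, algo)


class TotpVerifier:
    """Server side of the flow: recompute the OTP from the shared seed and compare.

    Accepts +/- `window` time steps of clock drift, compares in constant time, and
    remembers the highest step already consumed so a captured OTP cannot be replayed.
    """

    def __init__(self, secret: bytes, algo: str = "sha1", digits: int = 6,
                 step: int = 30, window: int = 1) -> None:
        self.secret, self.algo, self.digits = secret, algo, digits
        self.step, self.window = step, window
        self.last_step = -1  # highest time step used by a successful login

    def verify(self, submitted: str, unix_time: int) -> bool:
        now_step = unix_time // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = now_step + delta
            if candidate <= self.last_step:
                continue  # step already consumed (or older): reject as replay
            expected = hotp(self.secret, candidate, self.digits, self.algo)
            if hmac.compare_digest(expected.encode(), submitted.encode()):
                self.last_step = candidate
                return True
        return False


if __name__ == "__main__":
    # Token and server agree only when they share the seed AND the hash algorithm:
    # the same time step yields different codes under SHA-1 and SHA-256.
    print("HOTP counter 0, SHA-1:       ", hotp(SEED_SHA1, 0))
    print("TOTP t=59, SHA-1, 8 digits:  ", totp(SEED_SHA1, 59, digits=8))
    print("TOTP t=59, SHA-256, 8 digits:", totp(SEED_SHA256, 59, digits=8, algo="sha256"))
    server = TotpVerifier(SEED_SHA256, algo="sha256", digits=8)
    otp = totp(SEED_SHA256, 59, digits=8, algo="sha256")
    print("first use accepted:", server.verify(otp, 61))   # 2 s later, same step
    print("replay rejected:   ", not server.verify(otp, 61))
```

The printed values match the RFC 4226 and RFC 6238 test vectors, which is the quickest way to confirm that a token or server implementation truncates and pads the code correctly.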
Read also: Two-Factor Authentication Solutions Comparison: Google Authenticator vs. Protectimus

On-Premise 2FA Pros and Cons

Most two-factor authentication providers offer on-premise solutions to clients who need full control over all their systems and operations and have rigorous security policies. Installing the multi-factor authentication software locally gives the highest level of protection for your server and your users. An on-premise 2FA server does not require any connection to the Internet or to other outside networks, so you can run it on an isolated network. With on-premise 2FA you not only have complete control over the system's operation, its databases and all sensitive data, you also know exactly what hardware the platform runs on. This brings many advantages, from confidence in the system's behaviour to the ability to fix any issue quickly if one occurs. Naturally, a local MFA deployment comes with all the reporting tools you might need, including those for gathering statistics and managing users and secret keys. And if you need custom features, the Protectimus team can add them for you. We cannot speak for every 2FA provider on the market, but the Protectimus On-Premise Platform is very versatile. The platform runs on any major operating system (Windows, Linux, FreeBSD, etc.), and it supports the Google Chrome, Mozilla Firefox and Internet Explorer browsers. We comply with every industry standard and support all the major OTP algorithms (HOTP, TOTP and OCRA, all built on HMAC). Of course, there are drawbacks. You will have to spend quite a lot of time, money, and...
read more

Protectimus Customer Stories: 2FA for Volet
Volet is a popular payment system for convenient international payments and transactions with cryptocurrencies. Millions of people around the world use the Volet payment system's services daily.

"Volet has been cooperating with Protectimus since 2015, and we are extremely pleased with the results of this cooperation. Over the past years, we have had only positive cases of working together. Protectimus helped us at every stage, from integration to adding additional features that solved our specific tasks. For example, when we decided to abandon SMS as the two-factor authentication method, Protectimus suggested using chatbots in instant messengers to deliver one-time passwords, which is much easier, cheaper, and safer than SMS. For the entire period of using Protectimus 2FA, we have received service in 24/7 format without any breakdowns or other issues, and the Protectimus support service is beyond praise. Using Protectimus, we are confident that Volet's infrastructure and users are well protected. Protectimus gives us what money can't buy: not a sense of security, but REAL security. I highly recommend it for implementation."
Artem Sh., Information Security Director at Volet

Key tasks for implementing 2FA for Volet

The administrators of the Volet payment system set the following tasks for the two-factor authentication (2FA) provider:
- To protect the accounts of Volet employees with 2FA.
- To protect the accounts of end users of the Volet payment system with 2FA.
- To add an additional layer of protection against phishing and data spoofing.
- To offer Volet end users a choice of different types of 2FA tokens.
- To organize targeted delivery of hardware 2FA tokens to the payment system's end users.
- To find a way of delivering one-time passwords to Volet end users that is as convenient as SMS but more secure and less expensive.
The following Protectimus 2FA products were chosen to solve the tasks listed above:
- Protectimus Cloud Two-Factor Authentication (2FA) Service;
- User groups, implemented through Resources;
- Geographic filters;
- IP filtering;
- CWYS (Confirm What You See) data signing;
- Classic hardware 2FA tokens Protectimus Two;
- The Protectimus Smart OTP application for generating one-time passwords (iOS and Android);
- Delivery of one-time passwords via Protectimus Bot chatbots in Telegram, Facebook Messenger, and Viber.

Challenges and Solutions

Integrating via the API. Integration with the Protectimus two-factor authentication (2FA) service via the API is available even on the free service plan. The API integration documentation is publicly available on the Protectimus website, and the Protectimus team is ready to connect with the customer and help with the integration remotely if necessary.

Setting different 2FA rules for Volet employees' accounts and for end users' accounts. The Protectimus 2FA service allows users to be divided into groups using Resources. Volet's administrators created two Resources, one for end users and another for company employees, with different security rules. For example, geographic and IP filtering are enabled for Volet employees, and they may use only hardware 2FA tokens. For Volet end users the filters are not enabled, but the CWYS (Confirm What You See) data signing function is. Volet end users also have the option to choose one of three types of 2FA tokens: hardware OTP tokens,...
read more